Privacy Lawsuit Targets Net Giants Over ‘Zombie’ Cookies

A wide swath of the net’s top websites, including MTV, ESPN, MySpace, Hulu, ABC, NBC and Scribd, were sued in federal court Friday on the grounds they violated federal computer intrusion law by secretly using storage in Adobe’s Flash player to re-create cookies deleted by users.

At issue is technology from Quantcast, also targeted in the lawsuit. Quantcast created Flash cookies that track users across the web, and used them to re-create traditional browser cookies that users deleted from their computers. These “zombie” cookies came to light last year, after researchers at UC Berkeley documented deleted browser cookies returning to life. Quantcast quickly fixed the issue, calling it an unintended consequence of trying to measure web traffic accurately.

Flash cookies are used by many of the net’s top websites for a variety of purposes, from setting default volume levels on video players to assigning a unique ID to users that tracks them no matter what browser they use. (Disclosure: The last time we reported on this issue, we found that Wired.com used one to set video preferences.)

The lawsuit (.pdf), filed in U.S. district court in San FranciscoCentral California, asks the court to find that the practice violated eavesdropping and hacking laws, and that the practice of secretly tracking users also violated state and federal fair trade laws. The lawsuit alleges a “pattern of covert online surveillance” and seeks status as a class action lawsuit. The lawsuit was filed by Joseph Malley, a privacy activist lawyer who also played key roles in other high-profile privacy lawsuits, including a $9.5 million settlement earlier this year from Facebook over its ill-fated Beacon program and a settlement with Netflix after the company gave imperfectly anonymized data to contestants in a movie recommendation contest.

“The objective of this scheme was the online harvesting of consumers’ personal information for Defendants’ use in online marketing activities,” wrote Malley, who called the technique “as simple as it was deceptive and devious.”

Unlike traditional browser cookies, Flash cookies are relatively unknown to web users, and they are not controlled through the cookie privacy controls in a browser. That means even if a user thinks they have cleared their computer of tracking objects, they most likely have not.

Adobe’s Flash software is installed on an estimated 98 percent of personal computers, and has been a key component in the explosion of online video, powering video players for sites such as YouTube and Hulu.

Websites can store up to 100 kilobytes of information in the plug-in, 25 times what a browser cookie can hold. Sites like Pandora.com also use Flash’s storage capability to pre-load portions of songs or videos to ensure smooth playback.

Quantcast was using the same user ID in its HTML and Flash cookies, and when a user got rid of the former, Quantcast would reach into the Flash storage bin, retrieve the user’s old number and reapply it so the customer’s browsing history around the net would not be cut off.
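One way to check a browser for this respawning behavior, as an added example that is not part of the original article or anyone's published tooling: compare cookies captured before clearing with those seen after revisiting, and match reappearing IDs against values held in Flash storage. The snapshot format, the function name, the length threshold and all sample values are constructed assumptions.

```python
from typing import NamedTuple

MIN_ID_LEN = 8  # assumption: shorter values are preferences, not unique IDs


class Finding(NamedTuple):
    domain: str
    cookie: str
    value: str
    lso_sources: tuple  # (domain, key) of Flash objects holding the same value


def find_respawned(before, lsos, after, min_len=MIN_ID_LEN):
    """Return cookies that came back with their old value after being cleared.

    before/after: {(domain, cookie_name): value} HTTP cookies captured before
    the user cleared cookies and after revisiting the same sites.
    lsos: {(domain, key): value} values read from Flash storage, which the
    browser's cookie controls do not clear.
    An empty lso_sources means the ID returned from some other store.
    """
    by_value = {}
    for source, value in lsos.items():
        by_value.setdefault(value, []).append(source)

    findings = []
    for key, old in sorted(before.items()):
        if after.get(key) != old or len(old) < min_len:
            continue  # cookie gone, re-issued with a fresh ID, or too short
        sources = tuple(sorted(by_value.get(old, ())))
        findings.append(Finding(key[0], key[1], old, sources))
    return findings


# Constructed sample snapshots (not real data).
BEFORE = {("tracker.example", "uid"): "a3f9c2e17b44d0",
          ("video.example", "vol"): "80",
          ("news.example", "sid"): "5d1e88aa90c3f7"}
LSOS = {("tracker.example", "uid"): "a3f9c2e17b44d0",
        ("video.example", "volume"): "80"}
AFTER = {("tracker.example", "uid"): "a3f9c2e17b44d0",   # same ID is back
         ("video.example", "vol"): "80",                 # preference only
         ("news.example", "sid"): "c07b2f4419ee6a"}      # fresh ID issued

if __name__ == "__main__":
    for f in find_respawned(BEFORE, LSOS, AFTER):
        print(f"{f.domain}: cookie {f.cookie!r} respawned from {f.lso_sources}")
```

The length threshold keeps restored preferences, such as a saved volume level, from being reported as tracking IDs.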

Quantcast’s behavior stopped last August, after Wired.com reported on the research from then-grad student Ashkan Soltani.

Quantcast is used by thousands of sites to measure the number of unique visitors and to get information on the kinds of people visiting their site — athletic, older, interested in food, etc.

The lawsuit seeks unspecified damages and a court order requiring the companies to delete data collected, stop the practice in the future and provide an easy way to opt out.

All modern browsers now include fine-grained controls to let users decide what cookies to accept and which to get rid of, but Flash cookies are handled differently. These are controlled through a web page on Adobe’s site, and the controls are not easily understood (there is a panel for Global Privacy Settings and another for Website Privacy Settings — the difference is unclear). In fact, the controls are so odd, the page has to tell you that it actually is the control for your computer, not just a tutorial on how to use the control.

Firefox users can prevent or delete Flash cookies using a free add-on called BetterPrivacy.

Scribd, Hulu, and ESPN all declined to comment, saying they had not yet been served with the lawsuit.

Quantcast and MTV’s parent company, Viacom, did not respond to requests for comment.

The case number is 10-CV-5484, U.S. District Court for the Northern District of California.